Firewall Wizards mailing list archives
Re: Token based OTP: SafeWord or SecurID?
From: "Michael H. Warfield" <mhw () wittsend com>
Date: Sun, 10 Dec 2000 13:39:45 -0500
On Sat, Dec 09, 2000 at 04:15:09PM -0800, Ryan Russell wrote:
> On Sat, 9 Dec 2000, Michael H. Warfield wrote:
>
> > file" (the Network Administrator here is thoroughly PISSED that I, of all people, have the ability to use SecureID without one of his precious dongles and has not given me a key file, yet.)
> >
> > BTW... We have had abysmal luck with the SecureID keyfobs. I've never even used mine and I looked at it one day and the LCD was gibberish.
>
> I used to administer a decent-sized userbase of Safeword tokens. If one of them went nuts (about 1 in 100) we'd give them a new one.

And in the meantime, while they wait for IS, they are down. Typical IS mentality.

> > I asked said Admin if I needed to stroke the tamagotchi more often to keep it happy. He failed to see the humor. That's WHY I want the key file to activate my SecureID calculator on my Palm Pilot. That's also WHY he's so pissy about it. He hates to feel like he had to give in because the damn things are unreliable.
>
> I wouldn't allow my users to use soft tokens either. That's because on a general computing platform like the Palm, it's much, much easier to steal the key without you knowing about it. With the hardware tokens, the attacker has to get it away from you long enough to crack the case, and attach leads to the right pins, etc... If you left your Palm alone long enough (and hadn't taken appropriate measures to prevent this) then it would only take me <60 seconds to "dock" it, or beam the keyfile to my Palm.
Which would get you nowhere. My palm is a multifunction device which I use daily and keep with me constantly. I would know in short order if it were missing. The SecureID dongle might get used once in a blue moon, because it's only good for that one purpose. It could "go a walkabout" and I wouldn't know it was missing till the next time I needed it. That could be weeks or even months. Even then, I couldn't be sure if I had merely misplaced it AGAIN or it had "grown legs with assistance". If I compare the times when I set my keys down for hours vs. the times when I misplace that PDA, I'm much more comfortable with the PDA solution. If I compare the times I've seen someone's keys sitting on a desk (with them not around) vs. the times I've seen a PDA sitting on a desk, I'm more comfortable with the PDA solution.

My palm pilot is access protected. You couldn't dock it and get squat. Most people aren't so diligent, I will grant you that much. They should be.

You already mentioned that someone who was prepared could grab the token card and read it out. If I were going to do something like that, I would have a socket already prepared and it only takes a second to peel off that little cover and drop it in place. With the right equipment (pretested and operational) that would take LESS time than docking and syncing up a palm pilot that was NOT crypto protected. It WOULD take more preparation in advance (or maybe not, you have to have a station to sync the palm pilot to) but once you are prepared, you could hit as many as you want. All you then need are the corresponding PINs.

NOTE: I really don't know how difficult it would be to design or assemble a "pirate socket" for the fobs. I'm presuming that it shouldn't be too difficult, given access to the regular devices. It might be... Maybe they are crypto protected like a smart card. It would make sense to do it that way where you could load the key but NEVER read the key. Is this the way the fobs work? I don't know.
I wouldn't trust any system based on the serial number of the token or on a key which could be read out of the token, however.

The SecureID app is password protected. You could shoulder-surf the keyfob or even glance at it sitting on the desk. You then have 60 seconds to attack. I've known some guys (hell, some of them work with me) who can remember those kinds of numbers at a glance. They really are that good and really can do it. So there are two levels of security passwords on the PDA (one for the access crypto and one on the Palm app itself), before you even get to the token screen, security which simply does NOT exist with the exposed and constantly viewable fob.

The keyfob is much easier to misplace (I certainly don't need another chunk of plastic dangling from my keychain that I rarely use - and I have seen them break as well). The SecureID PIN is sent to the server, typically over an unencrypted channel (forcing logins through https or something similar is not always an option) so the PIN can be compromised.

I consider the keyfob / credit card tokens a far greater security risk than someone scarfing my palm pilot. I'm also at far less of a DoS risk from IS when a fob goes tits up.
> Ryan
Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)     |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois: MHW9      |  An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471  |  possible worlds.  A pessimist is sure of it!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
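The shoulder-surfing case argued above (a code glimpsed on a fob, or read off a PDA screen, stays usable for the rest of its clock step) is what the server-side replay check is for. What follows is an added example, not code from this posting or from SecurID or SafeWord, whose token algorithms the thread does not show: an RFC 4226/6238-style HMAC-SHA1 time-based OTP, with a verifier that tolerates one step of clock skew but refuses any step number at or below the last one it has already honoured. The secret, the 60-second default step, the 8-digit codes and every class and function name are this example's own assumptions.

```python
"""Time-based OTP verifier with replay rejection.

Added example; not from the original posting and not SecurID's or
SafeWord's algorithm.  HMAC-SHA1 TOTP (RFC 4226 / RFC 6238) is used as a
stand-in with the same security-relevant shape as the tokens discussed:
a shared secret, a clock-driven counter, and a code that is good for the
whole step unless the server refuses to honour it twice.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time, step: int = 60, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock.

    The 60-second default step is an assumption chosen to match the
    "60 seconds to attack" window discussed in the thread."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server side of the exchange (hypothetical class, this example's own).

    A submitted code is checked against the current step and +/- `skew`
    neighbouring steps (clock drift), but a step number at or below the
    highest step already accepted is rejected as a replay.  That is what
    makes a shoulder-surfed code worthless once its owner has logged in
    with it, even though the clock has not yet moved on."""

    def __init__(self, secret: bytes, step: int = 60, digits: int = 8, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_step_used = -1  # highest counter value ever accepted

    def verify(self, code: str, now=None):
        """Return (accepted, reason).  `now` is injectable for testing."""
        now = time.time() if now is None else now
        if len(code) != self.digits or not code.isdigit():
            return False, "malformed"
        current = int(now) // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time compare: do not leak how many digits matched
            if hmac.compare_digest(expected, code):
                if candidate <= self.last_step_used:
                    return False, "replay"
                self.last_step_used = candidate
                return True, "ok"
        return False, "wrong code"


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector seed), 30-second
    # step so the codes line up with the RFC's published vectors.
    seed = b"12345678901234567890"
    server = TotpVerifier(seed, step=30)
    t0 = 1111111111
    code = totp(seed, t0, step=30)          # what the user reads off the token
    print("first use :", server.verify(code, now=t0))        # accepted
    print("replay    :", server.verify(code, now=t0 + 29))   # same step, rejected
    print("next step :", server.verify(totp(seed, t0 + 29, step=30), now=t0 + 29))
```

The replay rule is deliberately stricter than "reject the identical code": it records the step counter, so a code for an older step that still falls inside the skew window is refused as well. The PIN-over-cleartext point raised in the thread is untouched by this; the check only closes the reuse window for a code the attacker has already seen.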